views: 77

answers: 1

I am making a software as a service using Spring 3.0 (Spring MVC, Spring Security, Spring Roo, Hibernate)

I have to come up with a flexible access control list mechanism. I have three different kinds of users:

  • System (who can do any thing to the system, includes admin and internal daemons)
  • Operations (who can add and delete users, organizations, and do maintenance work on behalf of users and organizations)
  • End Users (they belong to one or more organization, for each organization, the user can have one or more roles, like being organization admin, or organization read-only member) (role like orgadmin can also add users for that organization)

Now my question is, how should I model the entity of User?

If I just take the End User, it can belong to one or more organizations, so each user can contain a set of references to its organizations. But how do we model the user's role for each organization?

So, for example, User UX belongs to organizations og1, og2 and og3; for og1 he is both orgadmin and org-read-only-user, whereas for og2 he is only orgadmin and for og3 he is only org-read-only-user.

I have the possibility of making each user belong to one organization alone, but that makes the system bounded and I don't like that idea (although I would still satisfy the requirement).

If you have a better extensible ACL architecture, please suggest it. Since it's a software as a service, one would expect that a lot of different organizations would be part of the same system. I had one concern that it is not a good idea to keep og1 and og2 data on the same DB (if og1 decides to spawn 100 reports on the system, og2 should not suffer). But that is something advanced for now and is not directly related to ACL but to the physical distribution of data and setup of services based on those ACLs.

This is a community wiki question, please correct anything you wish to. Thanks.
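One way to model the User / Organization / Role triangle the question describes, as an added example written for this page (it is not code from the asker or from Spring Roo). The idea is to give the user-organization link its own entity, here called Membership, so that each link carries its own set of roles; the class names, table names and the in-memory `exampleUser()` data (UX in og1, og2, og3) are constructed for illustration. Roles are stored as rows rather than an enum, which goes slightly beyond the question but keeps the model open to roles added later.

```java
import java.util.HashSet;
import java.util.Set;
import javax.persistence.*;

/**
 * Added example: a JPA model where the user-organization link (Membership)
 * carries its own roles, so one user can hold different roles per organization.
 * Entity classes are nested only to keep the example in one file.
 */
public class AclModelDemo {

    /** Roles are rows, not an enum, so "orgadmin" and "org-read-only-user" live in the DB. */
    @Entity
    @Table(name = "role")
    public static class Role {
        @Id @GeneratedValue Long id;
        @Column(unique = true, nullable = false) String name;
        Role() {}
        Role(String name) { this.name = name; }
    }

    @Entity
    @Table(name = "organization")
    public static class Organization {
        @Id @GeneratedValue Long id;
        @Column(unique = true, nullable = false) String name;
        Organization() {}
        Organization(String name) { this.name = name; }
    }

    @Entity
    @Table(name = "app_user") // "user" is a reserved word in several databases
    public static class User {
        @Id @GeneratedValue Long id;
        @Column(unique = true, nullable = false) String username;
        /** Global roles (System, Operations) that are not tied to any organization. */
        @ManyToMany Set<Role> globalRoles = new HashSet<Role>();
        /** Exactly one Membership per organization the user belongs to. */
        @OneToMany(mappedBy = "user", cascade = CascadeType.ALL)
        Set<Membership> memberships = new HashSet<Membership>();
        User() {}
        User(String username) { this.username = username; }

        /** Role names the user holds inside one organization; empty if not a member. */
        public Set<String> rolesIn(String orgName) {
            Set<String> names = new HashSet<String>();
            for (Membership m : memberships) {
                if (m.organization.name.equals(orgName)) {
                    for (Role r : m.roles) names.add(r.name);
                }
            }
            return names;
        }
    }

    /** The user-organization link with its own roles; the unique constraint allows one row per pair. */
    @Entity
    @Table(name = "membership",
           uniqueConstraints = @UniqueConstraint(columnNames = {"user_id", "organization_id"}))
    public static class Membership {
        @Id @GeneratedValue Long id;
        @ManyToOne(optional = false) @JoinColumn(name = "user_id") User user;
        @ManyToOne(optional = false) @JoinColumn(name = "organization_id") Organization organization;
        @ManyToMany
        @JoinTable(name = "membership_role",
                   joinColumns = @JoinColumn(name = "membership_id"),
                   inverseJoinColumns = @JoinColumn(name = "role_id"))
        Set<Role> roles = new HashSet<Role>();
        Membership() {}
        Membership(User user, Organization organization, Role... assigned) {
            this.user = user;
            this.organization = organization;
            for (Role r : assigned) roles.add(r);
        }
    }

    /** Builds the question's example in memory (constructed data, no database needed). */
    public static User exampleUser() {
        Role orgAdmin = new Role("orgadmin");
        Role readOnly = new Role("org-read-only-user");
        User ux = new User("UX");
        ux.memberships.add(new Membership(ux, new Organization("og1"), orgAdmin, readOnly));
        ux.memberships.add(new Membership(ux, new Organization("og2"), orgAdmin));
        ux.memberships.add(new Membership(ux, new Organization("og3"), readOnly));
        return ux;
    }

    public static void main(String[] args) {
        User ux = exampleUser();
        for (String org : new String[] {"og1", "og2", "og3", "og4"}) {
            System.out.println(org + " -> " + ux.rolesIn(org)); // og4 prints [] : not a member
        }
    }
}
```

With this shape the per-organization question ("is UX an orgadmin of og2?") is a single join through `membership` and `membership_role`, and adding UX to a fourth organization is one new Membership row rather than a change to the User table. Global roles stay on User so System and Operations accounts do not need a fake organization.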

A: 

There is nothing wrong with one user belonging to multiple organizations and having multiple roles within one organization. In a typical Role-based Access Control model, you can have groups. Roles can either be global (like system admin) or only be effective within a group. Your protected data elements need to be split into groups correspondingly. When the user accesses one data group, you first check if he/she has rights to that group, then load his/her rights for that group. This is hard to do with Spring Security ACL unless you extend it with your own AclService. It's just like the Spring ACL filter's performance issue. Eventually, you'll have to wire some of your security into your business logic one way or another.
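The two-step check the answer describes (first "is the user in this group at all?", then "which rights does he/she have there?") fits the `PermissionEvaluator` hook that Spring Security 3.0 provides for `hasPermission(...)` expressions. The class below is an added example, not the answerer's code and not part of Spring Security; the `MembershipLookup` interface, the role-to-permission table and the in-memory data in `main` are assumptions made for the illustration.

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;

/**
 * Added example: an organization-scoped PermissionEvaluator.
 * Step 1 rejects anyone who is not a member of the organization before any
 * organization data is touched; step 2 maps the member's roles in that
 * organization to the permission being asked for.
 */
public class OrganizationPermissionEvaluator implements PermissionEvaluator {

    /** Assumed lookup abstraction; in the real app this is a Hibernate DAO over the membership table. */
    public interface MembershipLookup {
        /** Role names the user holds in the organization, or an empty set if not a member. */
        Set<String> rolesIn(String username, Long orgId);
    }

    private static final String GLOBAL_SYSTEM_ROLE = "ROLE_SYSTEM"; // global role, not tied to a group
    private final Map<String, Set<String>> permissionsByRole;
    private final MembershipLookup memberships;

    public OrganizationPermissionEvaluator(Map<String, Set<String>> permissionsByRole,
                                           MembershipLookup memberships) {
        this.permissionsByRole = permissionsByRole;
        this.memberships = memberships;
    }

    /** Backs @PreAuthorize("hasPermission(#orgId, 'Organization', 'READ')"). */
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (!"Organization".equals(targetType) || !(targetId instanceof Long)) return false;
        return check(auth, (Long) targetId, String.valueOf(permission));
    }

    /** Backs hasPermission(#org, 'READ'); here the domain object is just the organization id. */
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        if (!(targetDomainObject instanceof Long)) return false;
        return check(auth, (Long) targetDomainObject, String.valueOf(permission));
    }

    boolean check(Authentication auth, Long orgId, String permission) {
        // Global roles bypass the group check entirely (the "system admin" case from the answer).
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (GLOBAL_SYSTEM_ROLE.equals(ga.getAuthority())) return true;
        }
        // Step 1: membership in the group. Non-members are denied before any data is loaded.
        Set<String> roles = memberships.rolesIn(auth.getName(), orgId);
        if (roles.isEmpty()) return false;
        // Step 2: does any role held in this group grant the requested permission?
        for (String role : roles) {
            Set<String> granted = permissionsByRole.get(role);
            if (granted != null && granted.contains(permission)) return true;
        }
        return false; // member, but no role in this organization allows the action
    }

    /** Stand-alone demo with constructed data (UX is orgadmin in org 2, read-only in org 3). */
    public static void main(String[] args) {
        Map<String, Set<String>> perms = new HashMap<String, Set<String>>();
        perms.put("orgadmin", new HashSet<String>(Arrays.asList("READ", "WRITE", "ADD_USER")));
        perms.put("org-read-only-user", new HashSet<String>(Arrays.asList("READ")));

        final Map<String, Set<String>> table = new HashMap<String, Set<String>>();
        table.put("UX@2", new HashSet<String>(Arrays.asList("orgadmin")));
        table.put("UX@3", new HashSet<String>(Arrays.asList("org-read-only-user")));
        MembershipLookup lookup = new MembershipLookup() {
            public Set<String> rolesIn(String username, Long orgId) {
                Set<String> r = table.get(username + "@" + orgId);
                return r == null ? Collections.<String>emptySet() : r;
            }
        };

        PermissionEvaluator evaluator = new OrganizationPermissionEvaluator(perms, lookup);
        List<GrantedAuthority> none = Collections.emptyList();
        Authentication ux = new UsernamePasswordAuthenticationToken("UX", "n/a", none);
        System.out.println(evaluator.hasPermission(ux, 2L, "Organization", "WRITE")); // true
        System.out.println(evaluator.hasPermission(ux, 3L, "Organization", "WRITE")); // false
        System.out.println(evaluator.hasPermission(ux, 4L, "Organization", "READ"));  // false: not a member
        List<GrantedAuthority> sys = Arrays.<GrantedAuthority>asList(new GrantedAuthorityImpl("ROLE_SYSTEM"));
        Authentication daemon = new UsernamePasswordAuthenticationToken("daemon", "n/a", sys);
        System.out.println(evaluator.hasPermission(daemon, 4L, "Organization", "WRITE")); // true: global role
    }
}
```

To wire it in, set the evaluator on a `DefaultMethodSecurityExpressionHandler`, reference that handler from `<global-method-security pre-post-annotations="enabled">`, and annotate service methods with `@PreAuthorize("hasPermission(#orgId, 'Organization', 'WRITE')")`. This is the "wire security into your business logic" the answer predicts: the organization id has to be a parameter of the method being protected, and the role-to-permission table is application data, not something Spring Security's ACL module maintains for you.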

h0cked
Thanks. How can one implement roles which are themselves definable in the database, then? I would like the ability for an end user, who can admin certain entities, to make new roles and assign read and write capabilities to certain roles on the fly.
geoaxis